phpustik MCP Server
Auto-detects CakePHP projects and provides integration with its console commands for project management and diagnostics.
Auto-detects CodeIgniter projects and enables integration with CodeIgniter's tools for routing and project management.
Manages Composer dependencies including validation, security audit, package installation, and updates.
Runs Laravel artisan commands, lists routes, and provides framework-aware static analysis and security scanning.
Runs Symfony console commands, detects Symfony projects, and integrates with Symfony's ecosystem for code analysis.
Auto-detects WordPress projects and applies specialized security and code quality scans tailored for WordPress.
Auto-detects Yii projects and provides integration with Yii's console tools for project management.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@phpustik MCP Serverrun PHPStan level 5 on the src directory"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
π phpustik β MCP Server for PHP
AI'nin PHP gΓΆzΓΌ, kulaΔΔ± ve eli olacak.
MCP Sunucusu Β· Tek npx ile AI asistanΔ±nΔ±za PHP runtime, statik analiz, gΓΌvenlik taramasΔ±, test koΕucusu, Composer ve framework entegrasyonu kazandΔ±rΔ±r.
π·οΈ MCP Server | PHP Tools | AI Integration | Static Analysis | Composer | Laravel | Symfony
"The bridge between AI assistants and the PHP ecosystem."
Production-grade MCP server that gives AI assistants deep visibility into the entire PHP ecosystem β runtime, linting, static analysis, security, testing, Composer and framework tools.
Works with Claude Desktop, Cursor, Claude Code, Opencode, Cline and any MCP-compatible client.
A Model Context Protocol server for PHP β written in TypeScript, shipped as a single
npx-able package, battle-tested on Windows, macOS and Linux.
π― Vision: Make every AI assistant a PHP expert β no Config, no Setup, justnpx phpustik.
Features Β· Installation Β· Usage Β· Tools Β· Resources Β· Prompts Β· Integrations
π Table of contents
Tools β 31 tools in 9 categories
Resources β 8 read-only data sources
Prompts β 7 pre-baked workflows
Related MCP server: Xdebug MCP Server
π‘ Why phpustik?
AI assistants like Cursor, Claude Desktop, Claude Code and Opencode are increasingly good at writing PHP, but they remain blind to the runtime they target:
They don't know which PHP version is installed.
They cannot run
php -lto catch a missing semicolon.They cannot invoke PHPStan, Psalm, PHP-CS-Fixer, PHPUnit, Rector, PHPMD, PHPCSβ¦
They cannot manage Composer packages, audit security, or detect the framework.
They cannot run Laravel artisan or Symfony console commands.
phpustik closes that gap. It is a self-contained MCP server that exposes 31 tools, 8 resources and 7 prompts to the model β across runtime, static analysis, security, testing, refactoring, dependency management and framework integration.
It is:
Production-ready β strict TypeScript, no
any, exhaustive error handling, structured logs.Cross-platform β Windows, macOS, Linux, WSL. Path handling is normalised centrally.
Safe by default β
execFile(no shell), deterministic timeouts, output capping,isError: trueon every failure.Honest β if a binary is missing, the model is told exactly which command to run.
π¦ What's inside
Category | Count | Examples |
π Tools | 33 |
|
π Resources | 8 |
|
π¬ Prompts | 7 |
|
π§° PHP tools wired | 11 | PHP, Composer, PHPStan, Psalm, PHPMD, PHPCS, PHPMND, Rector, PHP Insights, PHPCPD, PHPUnit |
π Killer features | 2 |
|
π‘ MCP v2 features | 3 | Logging notifications, progress reporting, cancellation |
β¨ Features
Area | What you get |
MCP protocol | Implements |
Transport |
|
Validation | Zod v4 input validation on every tool β invalid calls are rejected before any IO. |
MCP logging | Real-time |
Progress |
|
Cancellation | AbortSignal-aware; long ops are tracked and can be killed if the user cancels. |
Structured output |
|
Error UX | Friendly, actionable messages for missing binaries, timeouts, permission errors. |
Cross-platform | POSIX, Windows, UNC, WSL, |
Security | No |
Observability | Stderr-only logger with |
Workspace-aware | Auto-detects project root from |
Framework-aware | Auto-detects Laravel, Symfony, WordPress, CodeIgniter, Yii, Slim, Laminas, Phalcon, CakePHP. |
Caching | TTL cache for expensive ops (composer info, phpstan, audits) β 60 s default. |
Distribution |
|
CI / Release | GitHub Actions matrix (3 OS Γ 3 Node versions), |
π©Ί Killer features
phpustik_doctor β one-shot health check
A single tool call that runs the entire PHP quality pipeline and produces a prioritised Markdown + JSON report.
{
"tool": "phpustik_doctor",
"arguments": {
"category": "all",
"failOn": "high",
"skipTests": false,
"fix": false,
"json": false
}
}Runs
composer validate,composer audit,analyze_php_code,run_phpcs,run_phpmd,run_phpunit,scan_secrets,scan_vulnerable_functions,scan_sql_injection,scan_xss,check_php_compatibility,suggest_refactoring,get_php_ini,detect_framework,get_php_infoβ in order, with progress notifications.Returns a unified Markdown report plus a typed
DoctorReportstructured content (overall status, per-check severity, fixable count, recommendations).failOnlets the model or CI fail at a configurable severity threshold.json: truemode for CI pipelines (returns only the structured content).category: security|quality|styleto run a targeted subset.
phpustik_init β project bootstrap
Generates optimal config files for a PHP project, tailored to its framework and PHP version.
{
"tool": "phpustik_init",
"arguments": {
"dryRun": true,
"force": false,
"phpstanLevel": "5",
"psalmLevel": "4",
"phpVersions": "8.1,8.2,8.3,8.4"
}
}Detects
composer.json,composer.lock, framework, PHP version.Generates up to 11 config files:
phpstan.neon,psalm.xml,.php-cs-fixer.php,rector.php,phpmd.xml,phpcs.xml,phpunit.xml,.editorconfig,.gitattributes,.github/workflows/ci.yml,bin/pre-commit.All templates hand-tuned for low false-positive rate, modern PHP, PSR-12 + strict types.
dryRun: true(default) shows a unified diff without touching disk.force: trueoverwrites existing files; default is "keep what's there".only: "phpstan.neon,phpunit.xml"restricts to a subset.
π Architecture
ββββββββββββββββββββββββ JSON-RPC over stdio ββββββββββββββββββββββββββββββββββββββββββ
β MCP client β ββββββββββββββββββββββΆ β phpustik server β
β (Cursor / Claude / β β (TypeScript, ESM) β
β Opencode / Cline) β β β
ββββββββββββββββββββββββ β 33 tools β 8 resources β 7 prompts β
ββββββββββββββββββββ¬ββββββββββββββββββββββ
β
ββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββ¬βββ΄ββββββββββββββββββββββββββββββ
β β β β
βΌ βΌ βΌ βΌ
ββββββββββ ββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββββ ββββββββββββββββ βββββββββββββββ
β php β β composerβ β phpstan / β β phpcs / β β rector / β β laravel / β β pattern β
β -v -m β β * β β psalm / β β phpmd / β β insights / β β symfony β β scanner β
β -l -i β β β β phpmnd β β phpcpd β β phpcpd β β console β β (secrets, β
β -r β β β β β β β β β β β β SQLi, XSS) β
ββββββββββ ββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββββ ββββββββββββββββ βββββββββββββββSource layout
src/
βββ index.ts # entry point
βββ server.ts # bootstrap (tools + resources + prompts)
βββ constants.ts # binary names, install hints, timeouts
βββ prompts.ts # 7 MCP prompts
βββ resources.ts # 8 MCP resources
βββ tools/
β βββ get-php-info.ts
β βββ lint-php-file.ts
β βββ analyze-php-code.ts
β βββ format-php-code.ts
β βββ run-php-script.ts
β βββ show-opcache-status.ts
β βββ get-extension-info.ts
β βββ get-php-ini.ts
β βββ check-php-compatibility.ts
β βββ run-phpunit.ts
β βββ run-psalm.ts
β βββ run-phpmd.ts
β βββ run-phpcs.ts
β βββ run-phpmnd.ts
β βββ run-phpcpd.ts
β βββ run-phpinsights.ts
β βββ run-rector.ts
β βββ composer.ts # 9 composer_* tools
β βββ scan-security.ts # 4 scan_* tools
β βββ codegen.ts # add_strict_types, generate_phpdoc, suggest_refactoring
β βββ framework.ts # detect + Laravel + Symfony tools
β βββ doctor.ts # phpustik_doctor
β βββ init.ts # phpustik_init
βββ utils/
βββ executor.ts # execFile wrapper, no shell, timeouts
βββ paths.ts # cross-platform path normalisation
βββ logger.ts # stderr-only structured logger
βββ responses.ts # uniform MCP tool responses
βββ workspace.ts # project root auto-detection
βββ framework-detector.ts
βββ patterns.ts # secrets / SQLi / XSS / vuln-func catalogues
βββ scan-runner.ts # pattern-scan engine
βββ file-scanner.ts # FS walker with skips
βββ cache.ts # TTL cache
βββ active-ops.ts # AbortController registry for cancellation
βββ notification-sink.ts # MCP logging/progress bridge
βββ config-templates.ts # init tool generatorsβ Prerequisites
Software | Minimum | Required for |
Node.js | 20.0 LTS | Running the MCP server |
npm | 10 (bundled) | Package manager (or |
PHP | 8.0+ | All PHP-runtime tools |
Composer | 2.x |
|
PHPUnit | 10+ |
|
PHPStan | 1.x or 2.x |
|
Psalm | 5+ |
|
PHPMD | 2.x |
|
PHPCS | 3.x |
|
PHPMND | 3.x |
|
Rector | 1.x |
|
PHP Insights | 2.x |
|
PHPCPD | 6+ |
|
PHP-CS-Fixer | 3.x |
|
All of these are optional β phpustik will tell you which to install when a tool needs a missing binary.
Quick check
node -v # v20 or higher
php -v # PHP 8.0 or higher
composer --versionπ Installation
1. Install PHP
OS | Command |
macOS |
|
Ubuntu/Zorin |
|
Fedora |
|
Alpine |
|
Windows | Download from https://windows.php.net/download/ or |
2. Install Composer
# macOS / Linux / WSL
curl -sS https://getcomposer.org/installer | php
sudo mv composer.phar /usr/local/bin/composer
# Windows (PowerShell)
Invoke-WebRequest https://getcomposer.org/installer -OutFile composer-setup.php
php composer-setup.php
Move-Item composer.phar C:\Program Files\composer\composer.exe3. Install all PHP tools (optional but recommended)
composer global require \
phpstan/phpstan \
vimeo/psalm \
phpmd/phpmd \
squizlabs/php_codesniffer \
povils/phpmnd \
sebastianbergmann/phpcpd \
nunomaduro/phpinsights \
rector/rector \
friendsofphp/php-cs-fixer \
phpcompatibility/php-compatibilityMake sure ~/.composer/vendor/bin (Linux/macOS) or %USERPROFILE%\Composer\vendor\bin (Windows) is on your PATH.
4. Install phpustik
# Option A: run on demand
npx -y phpustik
# Option B: install globally
npm install -g phpustik
phpustikπ Usage
Quick start with npx
npx -y phpustikYou'll see on stderr:
[INFO] server.boot {"name":"phpustik","version":"1.0.0"}
[INFO] server.php_detected {"version":"PHP 8.3.6 (cli)"}
[INFO] server.ready {"transport":"stdio"}Local development
git clone https://github.com/halitartuc/phpustik.git
cd phpustik
npm install
npm run dev # tsx, no buildInspect with the MCP Inspector
npm run inspectThis opens a local web UI where you can call every tool by hand.
π Tools (33)
All tools accept JSON Schema (Zod-validated) input and return MCP text content (and, where useful, a typed structuredContent companion). Tools marked β οΈ are destructive (they modify the filesystem). Tools marked π require project-level configuration.
π PHP Runtime & Environment (5)
Tool | Purpose |
| PHP sΓΌrΓΌmΓΌ, modΓΌller, INI. |
| OPcache + JIT (PHP 8+) durumu. |
| Tek bir eklentinin fonksiyon/sabit/INI detayΔ±. |
| Aktif php.ini, tarama dizini, direktifler. |
| PHPCompatibility ile hedef PHP sΓΌrΓΌm denetimi. |
π§ͺ Linting, Formatting & Syntax (4)
Tool | Purpose |
|
|
| PHP_CodeSniffer (PSR12, Squiz, vb.). |
| PHP-CS-Fixer (PSR-12) β dry-run veya apply. |
| Dosyaya |
π Static Analysis (6)
Tool | Purpose |
| PHPStan seviye 0βmax. |
| Psalm seviye 1β8. |
| Mess Detector (karmaΕΔ±klΔ±k, unused code, design). |
| Magic number tespiti. |
| Copy-paste tespiti. |
| Genel kod kalite skoru (Code / Architecture / Style / Complexity). |
π Refactoring & Codegen (3)
Tool | Purpose |
| Otomatik refactoring β |
| Eksik PHPDoc bloklarΔ±nΔ± raporlar. |
| Uzun metod, god class, derin nesting heuristik ΓΆnerileri. |
βΆοΈ Execution & Testing (2)
Tool | Purpose |
| Δ°zole temp dosyada PHP kodu Γ§alΔ±ΕtΔ±r. β οΈ |
| PHPUnit testleri (filter, testdox, coverage). |
π¦ Composer (9)
Tool | Purpose |
| YΓΌklΓΌ paketler / belirli paket bilgisi. |
|
|
| Bilinen CVE taramasΔ±. |
| GΓΌncellenmesi gereken paketler. |
| Paket ekle. β οΈ |
| Paket kaldΔ±r. β οΈ |
|
|
|
|
|
|
π Security (4)
Tool | Purpose |
| Hardcoded API key, private key, token, basic-auth URL. |
|
|
| Query string concatenation, |
| Unescaped |
π Framework Integration (7)
Tool | Purpose |
| Laravel / Symfony / WordPress / β¦ otomatik tespit. |
|
|
| TΓΌm route'lar (method, uri, name, action, middleware). |
|
|
|
|
|
|
π Meta-tools (2)
Tool | Purpose |
| Tek Γ§aΔrΔ±da tΓΌm kalite/gΓΌvenlik/test kontrollerini Γ§alΔ±ΕtΔ±rΔ±r, priorize rapor dΓΆner. |
| PHPStan / Psalm / Rector / phpcs / phpunit / .editorconfig / .gitattributes / CI workflow ΓΌretir. |
π Resources (8)
Resources are server-side data the model can read on demand to enrich its context. No parameters required.
URI | MIME | Description |
|
| Aktif proje ΓΆzeti (root, config dosyalarΔ±). |
|
| composer.json iΓ§eriΔi. |
|
| composer.json |
|
|
|
|
| Tespit edilen framework + sΓΌrΓΌm. |
|
|
|
|
|
|
|
| Sistem + proje INI dosyalarΔ±. |
π¬ Prompts (7)
Prompts are pre-baked, parameterised workflows the model can invoke.
Prompt | Arguments | Purpose |
|
| PSR-12, gΓΌvenlik ve performans review. |
|
| Satır satır kod açıklaması. |
|
| Somut refactoring ΓΆnerileri + deΔiΕiklik ΓΆrnekleri. |
|
| PHPUnit testi ΓΌret. |
|
| Pest testi ΓΌret. |
|
| 4'lΓΌ gΓΌvenlik taramasΔ± baΕlat. |
|
| PHP sΓΌrΓΌm yΓΌkseltme yol haritasΔ±. |
π Integrations
The server speaks stdio MCP β any client that supports MCP can use it.
Cursor
Settings β MCP β + Add new global MCP server:
{
"mcpServers": {
"phpustik": {
"command": "npx",
"args": ["-y", "phpustik"]
}
}
}Claude Desktop
Edit claude_desktop_config.json:
{
"mcpServers": {
"phpustik": {
"command": "npx",
"args": ["-y", "phpustik"]
}
}
}Claude Code (CLI)
claude mcp add phpustik -- npx -y phpustik
claude mcp listOpencode
~/.config/opencode/mcp.json:
{
"mcpServers": {
"phpustik": {
"command": "npx",
"args": ["-y", "phpustik"]
}
}
}Cline / Continue.dev
.vscode/cline_mcp_settings.json:
{
"mcpServers": {
"phpustik": { "command": "npx", "args": ["-y", "phpustik"] }
}
}βοΈ Configuration
All via env vars. Everything has a sensible default.
Variable | Default | Description |
|
|
|
|
| Tool result cache TTL (ms). |
|
| Default command timeout. |
|
| Override PHPStan binary path. |
|
| Override Psalm binary path. |
|
| Override PHPCS binary path. |
| β | The system PATH is used to find every PHP tool. |
π§― Troubleshooting
Common issues & fixes:
Make sure the MCP client config is valid JSON. Trailing commas break it.
Restart the MCP client after editing the config.
Run the server manually:
npx -y phpustik. If it crashes, the issue is server-side.
composer global require phpstan/phpstanMake sure ~/.composer/vendor/bin is on your PATH. Restart the terminal and the MCP client.
Add C:\php to Path in System Environment Variables, then restart the terminal and the MCP client.
The server sends logs to stderr and protocol frames to stdout. If your client shows nothing, set PHPUSTIK_LOG_LEVEL=debug and check its log panel.
npm install @cfworker/json-schemaIt's a peer dep of the MCP SDK v2 alpha.
π Security
No
shell: true. Every command runs throughexecFileβ arguments are never parsed as shell.Every tool input goes through Zod validation before any IO.
File-system access is read-only by default. Destructive tools are clearly marked β οΈ.
Output buffers are capped at 1 MiB per stream.
File contents are never logged β only paths and metadata.
Please report security issues privately β see SECURITY.md.
πΊ Roadmap
php -Smanaged dev server toolphpdbginteractive debuggingphp -dini override previewDocker image:
phpustik/phpustik:latestwith every tool pre-installedHTTP/SSE transport for remote deployments
VS Code extension proxy
GitHub Actions annotation output for CI integration
π€ Contributing
See CONTRIBUTING.md. Run npm run lint && npm run typecheck && npm run build before opening a PR.
π License
MIT β Β© 2024-2026 phpustik contributors.
π Acknowledgements
The Model Context Protocol team for the spec and SDK.
PHPStan, Psalm, PHPMD, PHPCS, Rector, PHP Insights and PHP-CS-Fixer β every PHP tool that makes this server possible.
Composer for dependency management.
Everyone who βοΈs, opens issues or sends PRs.
Made with β€οΈ for the PHP + AI community.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/halitartuc/phpustik'
If you have feedback or need assistance with the MCP directory API, please join our Discord server